flooded by spam

Mariano Absatz mailscanner at LISTS.COM.AR
Tue Mar 4 18:27:55 GMT 2003


Anyway, FTR, this is not a MailScanner problem but an SMTP relay server 
problem.

Every time you have a border server you will experience this kind of thing 
and, if you're a big ISP with automatic provisioning, you can't even block 
these names at the border since you never know if one of these will be used 
in two minutes to create a new account.

Nevertheless you should configure your _internal_ servers to reject unknown 
users (you don't want to do this on _external_ servers, since this allows 
address harvesting).

If you are receiving bounces where the envelope from was forged as coming 
from your domain, these bounces should have an envelope from like "<>" and 
the internal server's rejection should make your border server simply drop 
it (since you can't bounce to "<>").

Regretfully, messages _will_ pass through your gateway, but they'll be dropped.

Incidentally, 200.149.179.35 is a Brazilian address

whois 200.149.179.35 at whois.lacnic.net 
sends me to Brazil's whois and:
whois 200.149.179.35 at whois.nic.br 
tells me it belongs to "Tele Norte Leste Participações S.A."

Furthermore http://moensted.dk/spam/?addr=200.149.179.35&Submit=Submit shows 
it listed many times, in particular, as an open proxy... most professional 
spammers are abusing proxies nowadays.


On 4 Mar 2003 at 18:10, Julian Field wrote:

> There have been previous discussions of this issue. Exim is now apparently
> capable of checking recipient addresses against a file/database. Look in
> the Exim docs for things to do with SMTP address/user authentication and
> verification.
> 
> Can anyone remember the Subject: line from the last time this was discussed?
> For that matter, can someone put a FAQ together for this problem please?
> 
> At 17:53 04/03/2003, you wrote:
> >Hello,
> >
> >We are using MailScanner in a gateway (RH AS 2.1) for 7 other mail servers.
> >As MailScanner deals with spam I wish it could handle a problem like ours:)
> >It's a kind of mail flood, highly disturbing and making me re-evaluate
> >the usefulness of the mail gateway topology I'm using:
> >
> >Our University domain name is used abusively by some villains in the wild.
> >They are mass mailing spam with From/Return fields forged with <random
> >generated user name>@unitbv.ro.
> >Daily, thousands of bounced messages are hitting our gateway. It accepts them,
> >scans them, then sends them internally (mailertables) to our domain server
> >which in turn refuses them. The gateway root mailbox is flooded with
> >postmaster notifications and returned messages sent also back to the Internet,
> >etc.
> >
> >Either the IP address of the originating server is forged (less probable),
> >or they are using a lot of relays, as they are always different. Something
> >like:
> >
> >Return-Path: <sashadvrf at unitbv.ro>
> >Received: (qmail 17532 invoked from network); 4 Mar 2003 13:56:42 -0000
> >Received: from unknown (HELO unitbv.ro) (200.149.179.35)
> >   by mail.theofficenet.com with SMTP; 4 Mar 2003 13:56:42 -0000
> >Message-ID: <001510c8cc55$ace12883$17115632 at jfrcoog.fhp>
> >From: <sashadvrf at unitbv.ro>
> >To: <bigmaner at theofficenet.com>
> >Subject: Improve Sense Of well Being
> >310-3
> >Date: Tue, 04 Mar 2003 23:38:17 -1100
> >MIME-Version: 1.0
> >Content-Type: text/html;
> >         charset="iso-8859-1"
> >X-Priority: 3
> >X-Mailer: Microsoft Outlook Express 5.50.4522.1200
> >Importance: Normal
> >
> >(of course IP 200.149.179.35 is far from our address space)
> >
> >Therefore it is not my hope that the real spammer could be dropped, but it
> >would be better to have the gateway refusing such messages immediately,
> >after RCPT TO, not starting a whole chain reaction.
> >
> >It seems that sendmail as set in the gateway host, is not able to do it even
> >for its users:
> >
> >mail from:<dani at genie.unitbv.ro>
> >250 2.1.0 <dani at genie.unitbv.ro>... Sender ok
> >rcpt to:<nouser at gwm.unitbv.ro>
> >250 2.1.5 <nouser at gwm.unitbv.ro>... Recipient ok
> >data
> >354 Enter mail, end with "." on a line by itself
> >test
> >.
> >250 2.0.0 h24DukA07795 Message accepted for delivery
> >
> >(which could have to do with sendmail.cf modified by atMail, a webmail
> >server installed on the gateway for another domain)
> >
> >The problem is, to have the gateway checking the user name even before
> >accepting the message in the queue - perhaps off topic. Or checking the
> >content (unitbv.ro not associated with our address space), again before
> >accepting it into the queue(?).
> >
> >Well, any suggestions/help would be highly welcome, thank you!
> >
> >Radu IONESCU
> >Systems Manager, TRANSILVANIA University Brasov
> 
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support


--
Mariano Absatz
El Baby
----------------------------------------------------------
Daddy, why doesn't this magnet pick up this floppy disk?
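The thread's argument, as an added example that is not part of any post above and is not sendmail or Exim configuration: a toy model of the border gateway's RCPT TO decision, showing why a gateway that blindly accepts recipients for a relayed domain turns forged-sender spam into a bounce chain reaction, while recipient verification at the border refuses it before anything is queued. The recipient directory and the addresses are constructed.

```python
# Constructed directory of deliverable mailboxes per relayed domain (assumption,
# standing in for the file/database the gateway would consult).
VALID_RECIPIENTS = {
    "unitbv.ro": {"postmaster", "dani"},
    "gwm.unitbv.ro": {"postmaster"},
}

def split_addr(addr):
    """'<user@domain>' -> ('user', 'domain'); the local part is case-folded."""
    local, _, domain = addr.strip().strip("<>").rpartition("@")
    return local.lower(), domain.lower()

def rcpt_to_verified(rcpt_addr, directory=VALID_RECIPIENTS):
    """Border gateway WITH recipient verification: answer RCPT TO from the
    directory instead of accepting anything for a relayed domain."""
    local, domain = split_addr(rcpt_addr)
    if domain not in directory:
        return "554 5.7.1 Relay access denied"
    if local not in directory[domain]:
        return "550 5.1.1 User unknown"      # refused before DATA, nothing queued
    return "250 2.1.5 Recipient ok"

def rcpt_to_unverified(rcpt_addr, directory=VALID_RECIPIENTS):
    """The behaviour shown in the thread: every recipient in a relayed domain
    gets 250, and the internal server has to refuse it later."""
    _, domain = split_addr(rcpt_addr)
    if domain not in directory:
        return "554 5.7.1 Relay access denied"
    return "250 2.1.5 Recipient ok"

def after_internal_rejection(envelope_from):
    """What the gateway does when the internal server refuses a message it has
    already queued: a bounce (null sender '<>') cannot be bounced again, so it is
    dropped; any other sender receives a new bounce, i.e. backscatter."""
    if envelope_from.strip() in ("<>", ""):
        return "drop"           # double bounce: there is nowhere to send a DSN
    return "bounce"             # DSN goes to the (forged) envelope sender

def process(envelope_from, rcpt_addr, verify):
    """Simulate one message through the gateway and report the outcome."""
    reply = (rcpt_to_verified if verify else rcpt_to_unverified)(rcpt_addr)
    if not reply.startswith("250"):
        return "rejected-at-rcpt"           # no queue entry, no mail generated
    local, domain = split_addr(rcpt_addr)
    if local in VALID_RECIPIENTS.get(domain, set()):
        return "delivered"
    return after_internal_rejection(envelope_from)
```

With `verify=False` a forged `sashadvrf@unitbv.ro` bounce (sender `<>`) is queued, scanned and then dropped, and a non-bounce to the same address generates a fresh bounce; with `verify=True` both are refused at RCPT TO.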